Mi Band 5 NFC: Overview of Methods for Writing Custom NFC Data


2022-05-16 09:14 | Source: compiled from the web | Views: 265

Conclusions:

Method 1. On the Mi Band 5 NFC, the data of every sector of the emulated card can be set by modifying the HTTPS POST bodies the Mi Fit app sends while copying a card.

Method 2. First copy an unencrypted physical access card with the band (write the UID you want onto the physical card beforehand) and enable it, then modify the copied card's data directly with a PC plus an NFC reader (ACR122U). Everything except sector 0, block 0 can be changed this way. Block 0 holds the UID, the BCC check byte and the manufacturer bytes, so the Mi Band does not allow it to be rewritten; that is why the UID must already be correct on the physical card before it is copied.

Method 1 in detail:

Implementing Method 1:

The PC-side capture-and-modify approach from my earlier article on modifying Mi Band 3 NFC data applies here as well: https://www.cnblogs.com/storyline/articles/9986860.html

There are many capture/modify tools; pick whichever you prefer.

The two requests that matter and their request body parameters

First API and parameters:

https://api-mifit-cn.huami.com/nfc/accessCard/script/init?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767900198

Request body (the blockContent value is elided in this copy of the article; the field name fetch_adpu_mode is the API's own spelling):

{
  "fareCardType": 0,
  "fetch_adpu_mode": "SYNC",
  "product_sub_type": "",
  "sak": "08",
  "uid": "12345678",
  "aid": "",
  "atqa": "0400",
  "size": 1024,
  "action_type": "copyFareCard",
  "blockContent": "..."
}

Second API and parameters:

https://api-mifit-cn.huami.com/nfc/accessCard/script/request?r=A07A0065-DAC1-4C29-82DA-C30B664A37FA&t=1592767901974

Request body (blockContent again elided). Note that uid and blockContent appear in this request as well, with the same values as in the init request, alongside a session identifier. The command_results field carries the APDUs the phone relayed to the band and the responses it got back; checker is the regular expression the server applies to each response's trailing status word (9000 = success):

{
  "uid": "12345678",
  "fareCardType": 0,
  "product_sub_type": "",
  "blockContent": "...",
  "fetch_adpu_mode": "SYNC",
  "session": "3581-547405239-44086875137",
  "size": 1024,
  "atqa": "0400",
  "current_step": "1",
  "sak": "08",
  "command_results": {
    "succeed": true,
    "results": [
      {
        "result": "6F108408A000000151000000A5049F6501FF9000",
        "checker": "^(9000|6283)$",
        "command": "00A4040008A000000151000000",
        "index": "1"
      },
      {
        "result": "00009255039623302507200200275CA42AD7108E8096B4EE56DD62399000",
        "checker": "^(9000)$",
        "command": "8050200008691C3B013B3EED18",
        "index": "2"
      }
    ]
  },
  "aid": "",
  "action_type": "copyFareCard"
}


Your task:

First put the phone in a state where its traffic is being intercepted, then tap "copy access card" in the app. An unencrypted access card is required; otherwise the second API call above is never triggered.

Using the capture/modify tool, intercept both API requests before they are sent and change the same two fields in each body: uid and blockContent. Both requests must carry the same uid. When the copy completes, the card on the band contains your custom NFC data.

This involves a fair amount of PC know-how that cannot all be explained here; if something is unclear, look it up on Baidu.

I am not sure whether the traffic can be captured on Android; Android's certificate trust is very strict. iOS definitely works. I wrote a Thor script; anyone who uses Thor should be able to work out from it how to customize the data.
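The following is an added example, not code from the original article or from Huami. It does two things the procedure above leaves to the reader: it assembles a MIFARE Classic 1K image (16 sectors of 4 blocks of 16 bytes, matching size 1024, SAK 08 and ATQA 0400 in the captured bodies) with a chosen UID, and it rewrites the uid and blockContent fields of the init and request bodies, leaving session, command_results and everything else untouched. Because the real blockContent value is elided from the page, its encoding is an assumption: the 1024 card bytes as 2048 hex characters, with uid as the 4-byte UID in 8 hex characters. The sample UID, the filler data block and the mitmproxy hook at the end are constructed for illustration.

```python
# Added example, not code from the original post. Builds a MIFARE Classic 1K
# image for a chosen UID and rewrites the uid/blockContent fields of the two
# Huami request bodies. Assumptions (the page elides the real blockContent):
# blockContent = 1024 card bytes as 2048 hex chars, uid = 4-byte UID as 8 hex chars.
import json
from typing import Dict, Optional

INIT_PATH = "/nfc/accessCard/script/init"
REQUEST_PATH = "/nfc/accessCard/script/request"
API_HOST = "api-mifit-cn.huami.com"

DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")   # factory key A / key B
ACCESS_BITS = bytes.fromhex("FF078069")       # transport-configuration access bits


def bcc(uid: bytes) -> int:
    """Block Check Character: XOR of the four UID bytes (ISO 14443-3 anticollision)."""
    value = 0
    for byte in uid:
        value ^= byte
    return value


def manufacturer_block(uid: bytes, sak: int = 0x08, atqa: bytes = bytes.fromhex("0400")) -> bytes:
    """Sector 0 block 0 of a 4-byte-UID MIFARE Classic: UID(4) BCC(1) SAK(1) ATQA(2)
    followed by 8 manufacturer bytes (zeroed here; hypothetical filler)."""
    if len(uid) != 4:
        raise ValueError("expected a 4-byte UID")
    return uid + bytes([bcc(uid), sak]) + atqa + bytes(8)


def build_dump(uid: bytes, data_blocks: Optional[Dict[int, bytes]] = None) -> bytes:
    """Assemble a 1K image: 16 sectors x 4 blocks x 16 bytes = 1024 bytes.
    Block 0 is the manufacturer block, every block 4k+3 is a sector trailer
    (key A | access bits | key B); other blocks come from data_blocks or are zero."""
    data_blocks = data_blocks or {}
    blocks = []
    for n in range(64):
        if n == 0:
            block = manufacturer_block(uid)
        elif n % 4 == 3:
            block = DEFAULT_KEY + ACCESS_BITS + DEFAULT_KEY
        else:
            block = data_blocks.get(n, bytes(16))
        if len(block) != 16:
            raise ValueError(f"block {n} must be 16 bytes")
        blocks.append(block)
    return b"".join(blocks)


def rewrite_body(path: str, body: str, dump: bytes) -> str:
    """Replace uid and blockContent in an intercepted init/request body.
    The UID is taken from block 0 of the dump so the two fields cannot disagree;
    session, command_results and all other fields are passed through unchanged."""
    if path not in (INIT_PATH, REQUEST_PATH):
        return body
    if len(dump) != 1024:
        raise ValueError("dump must be exactly 1024 bytes for size=1024")
    obj = json.loads(body)
    obj["uid"] = dump[:4].hex().upper()
    obj["blockContent"] = dump.hex().upper()
    return json.dumps(obj)


# Constructed sample: the UID the band should present, plus one custom data block.
TARGET_UID = bytes.fromhex("DEADBEEF")
DUMP = build_dump(TARGET_UID, {1: b"custom-door-data".ljust(16, b"\x00")})


def request(flow):
    """mitmproxy addon hook (hypothetical usage): `mitmdump -s this_file.py` with the
    phone proxied through it and the mitmproxy CA trusted on the phone."""
    if flow.request.pretty_host == API_HOST:
        path = flow.request.path.split("?", 1)[0]
        flow.request.text = rewrite_body(path, flow.request.text, DUMP)
```

Run it as a mitmproxy addon while tapping "copy access card" with an unencrypted card on the reader; the hook only touches the two paths above, and deriving uid from block 0 of the image guarantees the UID the band is told to present matches the UID embedded in the sector data. Writing the same image onto a card with an ACR122U (Method 2) is a separate step not covered here.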

